Wednesday, March 9, 2011

BitLocker on Windows 7

What is BitLocker?

Windows Vista and Windows 7 include BitLocker, which provides encryption of the entire drive.

Deployment Problem:

According to the Info Center documentation, OSD is BitLocker ready. Well, not really. The idea is that OSD can create a partition that allows BitLocker to be activated. The problem is that when OSD creates that partition it assigns a drive letter to it, and BitLocker will not function with a drive letter on its system partition.

Solution:

As of Windows 7 (and Vista SP1(?), but who cares), Microsoft includes a tool called bdehdcfg.exe that can take any partition, shrink it by a specified amount and prepare the freed space for BitLocker. BitLocker requires a minimum of 100MB, or 300MB if you also want the recovery console (for Vista this is 1.5 GB). To do this, just use a software module that is deployed with the image to execute the bdehdcfg command.

One thing to note with this solution: when the image is deployed, you will end up with a larger partition than expected. The reason is that when the bdehdcfg command is executed, the new partition is created at the end of the drive, and when OSD completes, it takes the cache partition (about 500MB) and adds it to the last partition on the drive. So if you tell bdehdcfg to create a 300MB partition, you will end up with an 800MB partition (approx). Currently the only way around this is to have bdehdcfg execute after the OSD deployment is completed.
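The post-deployment step described above, written out as an added example (this is not code from the original post or from the OSD product). It checks whether the active partition already lacks a drive letter, in which case the machine is already BitLocker ready and nothing is changed, and otherwise runs bdehdcfg.exe to shrink the OS drive and create the system partition. Assumptions not stated in the post: the script runs elevated on the deployed Windows 7 system after OSD has finished, bdehdcfg.exe lives in %SystemRoot%\System32, and a non-zero exit code from bdehdcfg means failure.

```powershell
# Added example, not code from the original post. Runs bdehdcfg.exe after OSD
# has finished (the workaround for the oversized partition described above).
# Assumptions: elevated session on the deployed Windows 7 machine,
# bdehdcfg.exe in %SystemRoot%\System32, non-zero exit code means failure.
param(
    [int]$SizeMB = 300,   # 300 MB leaves room for the recovery console; 100 MB is the minimum
    [switch]$Restart      # pass -Restart to let bdehdcfg reboot when it is done
)

function Test-Elevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal($id)).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

# The BitLocker system partition is the active (boot) partition and must not
# have a drive letter. If the active partition already has no letter, treat
# the disk as already prepared and leave it alone.
function Test-SystemPartitionReady {
    $active = Get-WmiObject Win32_DiskPartition |
        Where-Object { $_.BootPartition } | Select-Object -First 1
    if (-not $active) { return $false }
    $query = "ASSOCIATORS OF {Win32_DiskPartition.DeviceID='$($active.DeviceID)'} " +
             "WHERE AssocClass=Win32_LogicalDiskToPartition"
    $letters = @(Get-WmiObject -Query $query)
    return ($letters.Count -eq 0)
}

if (-not (Test-Elevated)) {
    throw "bdehdcfg.exe needs administrative rights; rerun from an elevated prompt."
}

if (Test-SystemPartitionReady) {
    Write-Host "Active partition has no drive letter; BitLocker system partition already present."
    exit 0
}

# -target default: shrink the OS drive and create the system partition in the
# freed space; -size is in MB; -quiet suppresses the interactive prompts.
$bdeArgs = @('-target', 'default', '-size', $SizeMB, '-quiet')
if ($Restart) { $bdeArgs += '-restart' }

& "$env:SystemRoot\System32\bdehdcfg.exe" @bdeArgs
if ($LASTEXITCODE -ne 0) {
    throw "bdehdcfg.exe failed with exit code $LASTEXITCODE"
}
Write-Host "System partition of $SizeMB MB prepared. Reboot before enabling BitLocker."
```

Because this runs only once OSD has already merged the cache partition into the last partition, the system partition comes out at the requested size rather than the 800MB (approx) the post describes. The drive-letter check also makes the script safe to re-run as a software module on machines that were already prepared.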

BitLocker sounds simple enough to implement, but there are some things to think about that will impact the business.

The PIN provides an additional level of security to the BitLocker process. The PIN is set on the computer, not on the user(s) of the computer, so if there are multiple users of the system, they all share the same PIN.

The PIN can only be set by someone with administrative access. (I have not personally confirmed this, but I was informed of this by an engineering group, so if this is incorrect, please let me know and I will remove it.)

There is no native method to enforce an expiry of the PIN, as you would for a password.

BitLocker can be disabled or paused by anyone with administrative access, leaving the system unprotected.

Processes will need to be put in place for when users forget their PIN (you know it will happen) and need the recovery password. This is possibly the hardest part, depending on the users and the number of users.
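Two of the concerns above (BitLocker paused or disabled by an administrator, and the recovery process depending on a recovery password being available) can be turned into a check that runs on each machine. This added example is not code from the original post; it reads the output of manage-bde.exe for every fixed volume and reports protection that is off or paused, an OS drive without a TPM+PIN protector, and a volume with no recovery password protector. Assumptions not stated in the post: it runs elevated on Windows 7 with manage-bde.exe in %SystemRoot%\System32, and the field labels matched below ("Protection Status", "Conversion Status", "Key Protectors") are the ones that build of manage-bde prints.

```powershell
# Added example, not code from the original post. Audits BitLocker state on
# every fixed volume using manage-bde -status output.
# Assumptions: elevated session on Windows 7, manage-bde.exe in
# %SystemRoot%\System32, and the field labels matched here are the ones
# manage-bde prints on that build (adjust the regexes if yours differ).

# Return the value of a single-line "Label:   value" field, or 'Unknown'.
function Get-BdeField {
    param([string[]]$Lines, [string]$Name)
    $line = $Lines | Where-Object { $_ -match "^\s*$Name\s*:" } | Select-Object -First 1
    if ($line) { ($line -replace "^\s*$Name\s*:\s*", '').Trim() } else { 'Unknown' }
}

# Parse manage-bde -status for one volume into an object.
function Get-BdeVolumeState {
    param([string]$Drive)   # e.g. "C:"
    $lines = @(& "$env:SystemRoot\System32\manage-bde.exe" -status $Drive 2>&1 |
               ForEach-Object { "$_" })

    # Key protectors are listed one per line under the "Key Protectors:" header,
    # or as "None Found" on the same line for a volume that is not encrypted.
    $protectors = @()
    $inList = $false
    foreach ($l in $lines) {
        if ($l -match '^\s*Key Protectors\s*:\s*(.*)$') {
            if ($matches[1].Trim()) { $protectors += $matches[1].Trim() }
            $inList = $true
            continue
        }
        if ($inList) {
            if ($l.Trim() -eq '' -or $l -match ':') { $inList = $false }
            else { $protectors += $l.Trim() }
        }
    }

    New-Object PSObject -Property @{
        Drive            = $Drive
        ProtectionStatus = Get-BdeField $lines 'Protection Status'
        ConversionStatus = Get-BdeField $lines 'Conversion Status'
        Protectors       = $protectors
    }
}

# One result object per fixed volume, with an Issues column for anything that
# needs follow-up.
function Get-BitLockerAudit {
    $fixed = Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=3'
    foreach ($disk in $fixed) {
        $s = Get-BdeVolumeState -Drive $disk.DeviceID
        $issues = @()
        # "Protection Off" covers both a never-encrypted volume and one an
        # administrator has suspended (manage-bde -protectors -disable).
        if ($s.ProtectionStatus -ne 'Protection On') { $issues += 'protection off or paused' }
        if ($disk.DeviceID -eq $env:SystemDrive -and $s.Protectors -notcontains 'TPM And PIN') {
            $issues += 'OS drive has no TPM+PIN protector'
        }
        if ($s.Protectors -notcontains 'Numerical Password') {
            $issues += 'no recovery password protector'
        }
        New-Object PSObject -Property @{
            Drive      = $disk.DeviceID
            Protection = $s.ProtectionStatus
            Conversion = $s.ConversionStatus
            Protectors = ($s.Protectors -join ', ')
            Issues     = $(if ($issues) { $issues -join '; ' } else { 'none' })
        }
    }
}

Get-BitLockerAudit | Format-Table Drive, Protection, Conversion, Protectors, Issues -AutoSize
```

Run it from a scheduled task or your management agent and collect the Issues column centrally; a volume showing "protection off or paused" on a machine that was deployed encrypted is the case the post warns about, and "no recovery password protector" means the Active Directory recovery path described below will not exist for that volume. The script only reports; it does not change any protector.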

On the plus side:

It is free, so you are able to implement encryption without additional software expense.

When protected, the encryption seems to be as good as any.

Encrypting a drive is relatively quick compared to other vendors' products.

Recovering a drive is simple, as you just need the recovery password from Active Directory.

Did I mention it was free?

Hope this helps you out :)

If you have any other topics you would like covered, send me a note at martin dot carnegie at gulfsoft dot com.